Posted by CmdrTaco on Wednesday December 17, 2008 @10:24AM
from the well-lookit-that dept.

bogaboga writes "TG Daily reports that Microsoft quietly released the first update to its IE8 beta 2 to its closest partners last week. This new version only scores a dismal 12/100 on the Acid 3 test, though the score improves significantly if one leaves the [browser] window open for at least a minute. It is marked as 'Release Candidate 1.'"

Actually it does mitigate that vulnerability. Internet Explorer 7 and 8 both have the ability to enable DEP/NX heap protection. Unfortunately, due to certain extensions like Adobe Flash being written like shi... written in such a way that they weren't compatible with DEP/NX (I won't even get into them dodging protected mode, just see: http://keznews.com/4244_Vista_hacked_on_3rd_day_thru_Adobe_Flash__Linux_Undefeated_ [keznews.com]), but anyway, because of extensions like Flash and Java which weren't compatible with DEP/NX, Microsoft was unable to enable by default the DEP/NX protection in Internet Explorer 7 at release. However, you can enable it now since most plugins have been modified to work with DEP/NX.

To enable this protection in IE7 right now, go to Tools, Internet Options, Advanced, and check the check box next to "Enable memory protection to help mitigate online attacks". If you're running IE8 beta 2, you should notice that this check box is checked by default. This change should mitigate a significant number of future remote attacks against Internet Explorer 8.

If you check the advisory, one of the workarounds is enabling the DEP/NX protection in IE7.

This new version only scores a dismal 12/100 on the Acid 3 test, though the score improves significantly if one leaves the [browser] window open for at least a minute.

It's true, it improves to 100/100! The reason you need to leave the browser open for at least a minute is because that's how long it takes to download this extension [opera.com], install it, run the extension and put the acid 3 URL into the extension's address bar.

I never liked IE in the past, but 7 was ok, and I find myself actually liking IE 8. I've never looked at the source code to Firefox, so I could care less about my browser being open source. As far as security holes go... well I have Vista with UAC enabled, so I'm not too worried. All browsers have security holes.

I liked IE4/5 compared to NN at that time. I've been less inclined to like IE since around Firebird/fox 0.6 or so, when I switched. It's the plugins that sway me to FF over Opera. IE7/8 isn't so bad, but still has some quirks to it. IE6 in today's web world is an abomination that must die. If people are using older windows, Opera 9 is a far better option. For people on at least Win2k/XP they have very little excuse for the older IE.

IE8 version is a vast improvement, even if passing ACID3 wasn't as high of a priority.

Well-phrased. I'm a FF user, but stray to IE occasionally depending on what I'm doing. I have Opera & Chrome installed too, but I have run them very few times since install.

For me, like (I suspect) the vast majority of web users, a good report card on ACID3 isn't a big selling point. The question is, "Will the pages I use the most render quickly and look nice?" NOT "Is the browser standards-compliant and will it make web development easy for people that I never see or care about?" For right or wron

Acid 3 is not a web-standards test because the "standards" (html 5, css 3) that it tests are not yet standard.

If Microsoft sits on IE and doesn't continue to upgrade it then IE 8 failing ACID 3 is a problem, but as to the best of my knowledge neither of the proposed specifications has been ratified yet and very little of it is actually going to make it into web pages in the next year or so it's not that big a deal.

Passing ACID 2 is a big deal, passing ACID 3 is only a big deal if IE 9 doesn't do it.

well I have Vista with UAC enabled, so I'm not too worried. All browsers have security holes.

Yeah--Just like every car has its problems, that's why I choose to drive a Yugo. I mean--why go with a quality car that has fewer problems, when you could get a POS Yugo? All cars break eventually, so why not get one that will break within 5 minutes of owning it?

Even better, get one with no door locks, or even doors themselves--because all cars have security weaknesses...

I just go with the best of both worlds.. I own a Volvo and an MG.. one is basically maintenance free for 120k miles.. the other required me to bring my tools to get it running so I could drive it home (well half way.. the other half I used a tow truck)

I wouldn't expect slashdot to look at this objectively, but the GP is correct. The only reason exploits are such a big deal with IE is because of the sheer size of the installed base.

No hacker worth his salt is going to go looking for exploits in a browser with 10% market share. Also contributing to the viability of IE exploits is the fact that if you're running IE, you're running Windows so you know the target OS.

It's not defective by design, it's defective by popular demand. This is hardly Microso

As long as the page I want to see loads in my browser, no I don't. I don't do any web developing or anything related, so why should I care? Oh wait, then I would have yet another reason to bash Microsoft on Slashdot. Ok, I care a lot now!

I also don't know all the inner workings of a combustible engine, yet I still manage to get where I am going in my car. Amazing isn't it?

It's not that anybody loves Internet Explorer. It's just that nobody outside of geekdom loves any browser at all. Arguing over browser popularity is like arguing over gas station popularity. Most people don't care, and don't see any real difference. They're just going to the first one they see.

It's not that anybody loves Internet Explorer. It's just that nobody outside of geekdom loves any browser at all. Arguing over browser popularity is like arguing over gas station popularity.

Sometimes I think that the only real definition of "geekdom" is "a solid understanding of cause and effect".

Most people don't care, and don't see any real difference. They're just going to the first one they see.

That's why when they get a compromised system or otherwise suffer, I don't see them as victims even though I'd rather they not get compromised and I'd rather they not suffer.

They are making a trade-off and are taking a risk of experiencing security flaws for the sake of convenience as the browser is already installed and knowledge of its quality and security history is not needed to use it. They have set their priorities and made their choices and now they experience the results. Really, what rational person (technical or non-technical) expects to have good results when operating an extremely complex machine that they don't understand? Is there anywhere else in life where you can take the very first option to come along without ever looking at your other options and then consider yourself to have made a good choice? That the average person can routinely use a computer this way and have everything work out as well as it does is amazing, but rather than appreciate this we instead scratch our heads and wonder why certain problems (like botnets) just aren't going away.

Maybe this makes me unusual, but I am happy with both Linux and FireFox even if both of them never become anything like mainstream. They are actively developed and have enough of a userbase to ensure this for some time to come, they do what I need them to do, and they run the way I want them to run. I can't say with any certainty that I'd derive any direct benefit from the sort of ubiquity that Windows and IE currently enjoy and I see a certain risk of stagnation if that ever did happen.

Gee, and I thought 'the delay' was due to all the malware BHOs fighting over who gets to control your system 'this time'. Ultimately the BHO who gets control of the OS first is likely to win. Once they all stop thrashing each other for the top spot in the chain then the html rendering engine finally gets a chance to receive some precious cpu resources.

And for any IE die-hards out there, the best remedy to keeping your system safe is to make the "Windows Update" site your home page. That extra minute is

By the time IE 10 comes out, it will look like what Netscape 2.0 looks like to today's market. Even today, users hanging on to IE are reminiscent of the die hard users of Netscape 4. Netscape 4 was awful in comparison to IE5, but since it was the only viable alternative to IE, it hung around for quite a while. Life got a lot better when the Internet purged NS4, and it will get a lot better when it purges Internet Explorer.

The only difference between the Netscape 4 debacle and Internet Explorer is that Netscape didn't have the resources to develop a better browser. They ended up needing to spin off browser development, thus resulting in Firefox in the long term. Microsoft has no such constraints. They have nearly everything they need to make IE a better browser, but they don't want to give up their stranglehold on the web.

Well too damn bad. It's only a matter of time before IE loses its majority market share. The more the IE percentages drop, the faster the uptake of alternative browsers.

It's like high end Hi-Fi equipment you have to let the browser window burn in before you can get that richer and warmer internet experience. I always leave my browser to burn in overnight the first time I install it and find pages load quicker when I use oxygen free unidirectional tubes.

Well I used to think like you, no problems with IE, but what changed my mind was when my homepage kept randomly changing to various sites. Then I started getting weird images on my desktop. That's when I realized that IE is basically a giant hole for hackers.

Is a release candidate still considered a beta? I was always under the impression that release candidates were past the "beta" moniker and were part of the next phase of deployment. But I'm an admin, not a programmer, and really have no clue when it comes to that kind of stuff. Coincidentally, I just watched Blade Runner on my Sony Superbeta hi-fi, still looks fantastic after all these years. Suck it, Blu-ray.

In Microsoft speak a RC is a feature complete product, parts are still buggy but the capabilities are in, they still reserve the right to add features but will not remove them.
Now that is not to say that things still will not change, for instance with the release of parts of Office 2007 some products would work in the RC phase on Windows 2000 but come release they stopped working. However at that phase you can usually start developing for the new product and it will work on the release with at most minor changes.

I think it's pretty difficult to argue that Windows Server 2008 was not well tested and thoroughly prepared. Can you name something that was seriously wrong with that release? In my opinion (keep in mind I run Ubuntu Server LTS for most of my new deployments), Server 2008 is a truly fantastic OS; it's rock solid, got great features, has full-fledged CLI, and is polished out of the box. Even the licensing is now easy. Or how about Office 2007? Aside from the initial shock at the UI change, it went very well

Well, it was better done than many of their other products but if you are running it I'm sure you know that HyperV was their big selling point and barely works. So, kinda same thing there. Office 2007 still has an excess of problems, and Visual Studio is probably the one product people are happy with.

I'm not denying that I did make an excess of a blanket statement (I agree, I did) and on rare occasions they release things well tested, but it doesn't seem to be exactly consistent.

Who says it's coming in 6 months? The same people who were talking about MinWin?

Offtopic, but it needs to be said:

MinWin was (recently) mentioned by one guy during a demo of some virtualization stuff. He was running Windows 1.0 and such. He was clearly a very intelligent employee, and while he said they've been working on MinWin, he ALSO said that it's just the COMMON CORE of future Windows releases.

From Shitipedia:

In October 2007, Eric Traut, a developer at Microsoft, demonstrated a self-contained MinWin

Yeah, you'd think that a "release candidate" meant that it was a candidate for the "release" version if no huge problems popped up. That was what the term was invented to mean, AFAIK.

But people abuse these terms pretty heavily, and you have to know how each developer is using them. It seems like Microsoft considers "release candidate" to mean "late beta". They never have any intention of releasing RC1, and they usually have a roadmap that includes multiple "release candidates" to be released for testing purpose

As someone who does both web security and some web design, I couldn't be happier.
Yes, IE 8 still sucks, but it sucks less than IE 7, which sucks less than IE 6.
IE 8 has some decent rendering improvements, a built in XSS filter, and lots of other changes. In standards compliance it still sucks versus all the competition, but as long as it helps kill off IE 6, I'm happy.

In standards compliance it still sucks versus all the competition, but as long as it helps kill off IE 6, I'm happy.

As someone doing web design for a living for the past 10 years I can tell you that I'm really not happy. At all. I put standards compliance much higher than any gimmick like XSS. If firefox still had all the Extensions (which is hard to live without) but was not standards compliant, I would hate it, a lot.

Another IE that is not standards compliant, means or a new set of rules I cannot use on my code, or another set of hacks (already have one for 5, 5.5, 6 and 7

Standards compliance is a non-feature. Give end-users a list of browser features, ask them to rank them, and I can guarantee standards compliance will come in last. The ONLY people who care are web developers, because it makes their job slightly easier. Cry me a river. (And web developers have to QA their page anyway.) Microsoft's time is much better spent on features users actually care about.

Demanding that browser makers drop everything and work only on standards compliance is like telling Toyota they sho

Here's a challenge for Slashdot: explain to me how standards compliance benefits the end-user of the browser.

Standards compliance allows web developers to spend less time in QA and more time developing new features in THEIR applications. So rather than Microsoft developing one or two new features per year in their browser, Every web developer on the planet can develop one or two new features for their site per year. (Those numbers are obviously terrible and asspulled, but you get my meaning I'm sure).

It's similar to being able to write in higher level languages, (Java, Python) over lower level (C, Assembly). Once

I agree completely. It's been a while since I've done any significant web design (Safari was still new the last time I designed a web page), but IE's rendering was the most painful part of the job. I was never that great at web design (it was never my primary job), but the process was always:

Come up with a design

Figure out how to code it according to how HTML/CSS works

Write the markup according to the standards

Now it probably works fine in Firefox, Opera, Safari, Konqueror, and pretty much every web

XSS affects 50% of the websites geared for IE. Not 50% of all websites. Significant difference there.

I agree with the rest though, IE6 is bad and IE7 is worse, so hopefully IE8 won't be too broken. From everything I have seen so far unfortunately, it will be. I seem to recall some controversy with IE8 a few months back too, something about putting it on an XP service pack or something.

Actually, ~50 % of websites tested in the past year by WhiteHat Security. It's the best metric we currently have for security flaws, as WhiteHat has many customers across quite a few industries, and they are all automatically retested over time.
It has little to do with the browser targeted, and everything to do with the web frameworks used, the knowledge of the programmers, and the testing or lack thereof most websites get before deployment.

If you check xssed.com [xssed.com] you'll see that near 100% of websites have had XSS vulnerabilities in the past.

XSS has nothing to do with the browser unless the hacker is an idiot and uses vbscript instead of javascript. Misconfigured bulletin boards, search boxes that print out whatever you searched for without escaping entities, and scripts that use redirects to move from page to page with messages in the URL are probably the top causes.
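Added example (not part of the comment above, and not code from any site mentioned in the thread): the two causes it names, a search box that echoes the query unescaped and a status message carried in the URL of a redirect, shown with the unsafe form beside a hardened one. The function names, the `msg` parameter and the message table are assumptions made for illustration.

```javascript
// Constructed handlers for illustration; all names here are hypothetical.

// Escape the characters that let text break out of HTML element
// or quoted-attribute context.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// BEFORE: the search-box pattern from the comment. The query is echoed
// verbatim, so any markup in it becomes part of the page.
function renderSearchUnsafe(query) {
  return `<p>Results for: ${query}</p>`;
}

// AFTER: the same output with entities escaped at the point of use.
function renderSearchSafe(query) {
  return `<p>Results for: ${escapeHtml(query)}</p>`;
}

// Redirect-with-message pattern: instead of echoing free text from the URL,
// accept only a short key and look the text up server-side.
const MESSAGES = {
  saved: "Your changes were saved.",
  loggedout: "You have been logged out.",
};

function renderNotice(urlString) {
  const key = new URL(urlString).searchParams.get("msg");
  const known = key !== null && Object.prototype.hasOwnProperty.call(MESSAGES, key);
  // Unknown or missing keys render nothing rather than reflecting input.
  return known ? `<div class="notice">${escapeHtml(MESSAGES[key])}</div>` : "";
}

// Constructed sample input: a query string containing markup.
const sampleQuery = "<script>alert(1)</script>";
console.log(renderSearchUnsafe(sampleQuery)); // markup reaches the page intact
console.log(renderSearchSafe(sampleQuery));   // markup is rendered as text
console.log(renderNotice("https://example.test/home?msg=saved"));
console.log(renderNotice("https://example.test/home?msg=%3Cb%3Ehi%3C%2Fb%3E"));
```

Escaping as above covers element content and quoted attributes only; values placed inside script blocks, URLs or CSS need the encoding for that context.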

IE6 is still very popular despite the fact that 7 came out over two years ago. If users haven't upgraded by now, I see no reason why they would when 8 is released.

I'm sure IE8 will be broken in slightly different ways from 6 and 7. So all this really means is we will have to implement hacks for three different versions of a shitty, non-standards-compliant browser for the foreseeable future, instead of two.

IE8 gives a number of mechanisms for either you or Microsoft to request the legacy IE7 renderer for your website. <meta http-equiv="X-UA-Compatible" content="IE=7"> is all it takes to not have to add IE 8 specific version of your website.

Problem: IE >= 7 is for XP and Vista only. There are still a bunch of users out there using IE 5.5 (or worse yet 4 or 3) because they do not want/know how to update. Maybe they are on dial-up and updating is too slow (although I would update on dial-up). Then there are the IE 6 users on Windows 2000. That is the highest they can go, and for a lot of these computers, it makes no sense to upgrade to XP.

When I develop a page, I develop a whole different sheet (that tries its best to look like the original f

Problem: IE >= 7 is for XP and Vista only. There are still a bunch of users out there using IE 5.5 (or worse yet 4 or 3) because they do not want/know how to update.

Where "bunch" is less than 0.1% for all versions lower than 6 combined. IE versions less than 6 are dead, dead, dead, and no one should feel like they need to care about them.
In my experience, the IE 6 problem is caused more by corporate users who have some IE 6 only internal app that keeps them from upgrading their browser. My day job is security testing websites, so I have to keep a copy of IE 6 around also.
There are a few people using win2k or earlier out there, but they are by far the minority(est

If users haven't got the sense to move from IE to Firefox or Chrome, what makes you think that they will upgrade from IE6 or IE7 to IE8? It'll be quite some time before Microsoft pushes out the IE8 update automatically.

This is a highly ignorant comment. A browser should never crash due to poorly written HTML, or due to anything. From the security angle, this is at least a DoS, but likely something more. Take a look at the IE7 0-day which is affecting millions of users. It is not a buffer overflow; it's a simple crash. However, because of JavaScript, one is able to manipulate ("spray") the heap enough to a point where even a simple crash can be used for code execution. ANY crash in a browser should be taken seriously.

As a web designer it really pisses me off to see Microsoft continuing to write their own standards and not follow the conventions set forth so that web pages could look the same across browsers. Passing the acid test should be mandatory and doing so would likely save millions if not billions in lost productivity time between broken websites and the extra hours of work web designers have to put in to work around IE's bugs.

Actually, IE 8 passes the Acid 2 test (yes, they are last, but it's an improvement). Not to mention that Microsoft contributed 2524 test cases [gotdotnet.com] to the CSS 2.1 test suite. I'm a web developer, and I know the horrors of developing for multiple browsers (especially IE), but I have to give Microsoft some credit for their interest in standards in this coming IE version.

Also, the acid tests are just one indicator of how well a browser does standards. To make it the defining standards test would not be completely fair. More info on that here [webstandards.org].

...should be a drastic change to Windows, removing Internet Explorer, all Windows dependencies on it; minimalising the DLLs needed for old dumb applications that used IE's rendering engine, and installing a new browser out of a few, namely: Firefox, Opera, Safari, and others that are free and web-standards compliant.

Being that M$ tied their browser to their OS to avoid a court judgment of having an illegal monopoly the main reason they're in this pickle in the first place? You can't nimbly fix bugs or create features if what you do on that level ends up crashing your OS on another level.

Seems to me they've screwed themselves in the long run. They avoided having to remove Internet Explorer from Windows, but now their browser sucks on ice, is bloated, slow and filled with bugs that affect the OS. All of this could have been avoided (not to mention the continued $ hemorrhage of having to pay programmers to work on this) had they just concentrated on a decent OS and let others create the browsers. Instead they have (and still) pig-headedly insist on taking over or competing with every bit of software that touches their computers.

IE7 isn't tied to the OS anymore. Heck, in Vista it's not even used for updates or anything of the sort anymore. The catch is the rendering engine IS used by a lot of third parties. A lot of things that "render" something, let's say reports, even if they don't look like HTML, often use the IE rendering engine. They're still breaking compatibility with IE8 and redoing it from scratch... it's just not something that happens overnight.

One of the reasons I've heard for MS not fixing all their rendering bugs is that there are so many web pages out there that already work around the bugs, with user-agent sniffing, i.e. if the user-agent contains "MSIE", then use a different stylesheet, or embed a style attribute in the HTML to override the stylesheet.

But couldn't they fix the bugs if they just changed the user-agent string to not include "MSIE?" Internet Explorer is already a brand name with so much infamy and negative goodwill anyway, that renaming the product makes sense even if they don't fix any of the bugs. But if they do that, then they could fix the bugs too, without triggering all the world's websites' MSIE workarounds.